There are a number of applications in which a third party needs to monitor traffic on a high bandwidth telecommunications link. In some cases, the monitoring must be done in real time or near real time. For example, tracking mobile devices in an environment that does not require the participation of the mobile operator or the cooperation of the mobile user can enable law enforcement personnel to follow the movements of a person of interest. Such methods rely on decoding a portion of the communication packets exchanged between the cell transmitter and the mobile device to determine which mobile device belongs to the person of interest.
In the case of the mobile tracking system, the problem is simplified by the fact that the protocol used between the cell and the mobile device is known. However, if a number of different protocols are in use on the communication link, the problem becomes much more challenging. In addition, if the packets must be decoded in real time, the volume of data on many communication links, coupled with the lack of prior knowledge of the packet formats, makes conventional decoding techniques economically unattractive.
The typical 3G mobile stack can comprise more than 50 protocols, each with a formal specification that can exceed 30 pages of text; some are much longer. In addition, multiple versions of a protocol may be active concurrently, and in some cases protocols are deliberately altered, either for convenience, so that they interoperate correctly with other protocols, or for malicious reasons. A protocol may also be used in undocumented ways and is not necessarily self-describing: as long as the packets are successfully transported from sender to receiver, the layers that are not needed for transport can be used in any manner the sender and receiver agree upon. A third party observing the “conversation” has a limited ability to deal with such non-self-describing protocols.
Further, a number of protocols are similar to one another and hence difficult to distinguish. Finally, in some circumstances the telecommunications link being monitored may exhibit a poor signal-to-noise ratio, so that the data on the link has a significant bit error rate. Hence, a system cannot rely on the protocol's own “correct” specification when attempting to identify obfuscated protocols, or protocols whose packets contain significant errors.
Even in cases in which the protocols cannot be completely decoded, it would be advantageous to decode some of the fields, as these fields may be sufficient for the goals of the monitoring system. For example, in a cellular tracking scheme, only the fields that identify the mobile device are necessary for the tracking operation to be successful.